Amidst the fallout of the 2008 Financial Crisis, the country screamed for reform. In consultation with then-Rep. Barney Frank and Sen. Chris Dodd, President Obama announced in June of 2009 that he would be spearheading a proposal for “a sweeping overhaul of the financial regulatory system, a transformation on a scale not seen since the reforms that followed the Great Depression.” The result was the eponymously named Dodd–Frank Wall Street Reform and Consumer Protection Act.
Dodd-Frank is a behemoth of legislation. Still heavily critiqued, the law fundamentally restructured the way the banking industry is regulated in the United States and established significant new regulatory bodies including the Consumer Financial Protection Bureau (CFPB), Federal Insurance Office (FIO), and Financial Stability Oversight Council (FSOC). But, tucked within the nearly 850 pages of financial legalese, sits a small provision of just over 300 words that may have done more to shape the future of consumer finance than any other provision.
Sec. 1033 of Dodd-Frank outlines a consumer right to access information about oneself, “including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data.” Crucially, the law as amended by Congress and as interpreted by the CFPB prohibits data providers from imposing any fees or charges on a consumer or an authorized third party for the provision of their financial data. The result of this relatively minor policy change has been a veritable flourishing of consumer financial startups since the law’s enactment. But now all of that innovation and all of those startups may soon go the way of the dinosaurs as the CFPB reconsiders its interpretation of Sec. 1033.
Why Sec. 1033 Works
Section 1033 rests on a straightforward premise: people should be able to obtain and direct their own financial records in a standard, usable format. That premise has been powerful because it changes how competition works. When consumers can give a budgeting tool, lender, or savings app permission to read their transaction history through secure interfaces, switching costs fall and incumbents have to win on service rather than captivity. This doesn’t bless any particular startup; it creates a new way for ideas to contend on the merits.
The fee prohibition is the hinge. If banks can charge consumers or their authorized agents for basic data access, portability becomes a tax rather than a right. The costs will be passed through to users or embedded in worse ways: reduced features, throttled refresh rates, thinner analytics. Small firms will pay the highest price. Each marginal user will carry a toll that blunts the economics of experimentation. The temptation for targeted “commercial” restrictions will grow, too, which end up raising prices for certain uses, slowing data for rivals, or offering better terms to a favored partner. Call it cost recovery if you like, but, in practice, fees often function as a gate.
Security arguments don’t cut against Sec. 1033 either; they cut in its favor. Users already connect apps to accounts. In the absence of standard, revocable, token-based access, they resort to password sharing and screen scraping. In the worst case scenario, users are forced to download their own information and then reupload it to a third-party, opening the whole system up to new attack vectors. APIs with clear scopes, consent records, and revocation windows are safer than the pre-Sec. 1033 status quo. The right way to reduce risk is to move the market off brittle workarounds, not to make permissioned access more expensive.
Finally, portability makes the system more resilient. When data can be moved predictably, an outage or a contractual spat doesn’t freeze consumers in place. A diverse ecosystem of providers can interoperate instead of relying on a few bespoke pipes controlled by the largest players.
The Real Cost Question
Maintaining modern interfaces isn’t free. But the right question for public policy is whether the benefits of portability exceed those costs. The answer in this case is yes because the gains accrue broadly: clearer consumer choice, more accurate underwriting from cash-flow data, better personal finance tools, and fewer incentives to hoard credentials. We have precedents for this approach. Number portability in telecommunications, basic access mandates in payments, and long-standing data rights in other sectors all reflect a simple bargain that participation in regulated markets should come with interoperability obligations.
Fees that require third-parties to pay per-data call are the wrong instrument for cost recovery. They push providers to meter access and degrade features that depend on timely data. They also produce uneven results across institutions with different negotiating leverage, undermining the point of a uniform right. If small banks truly face disproportionate burdens, there are cleaner solutions. Phase compliance for the smallest institutions; support shared API utilities and certification programs; provide safe harbors for standardized formats. Most of all, keep the rule simple: consumers and their authorized third parties can get covered data in a usable form, without a toll.
Critics will say that a blanket ban on fees invites freeloading by data aggregators. That’s a manageable risk. Third parties should and do currently meet baseline obligations such as data minimization, deletion when consent ends, clear disclosures, and robust security controls. Those expectations are not incompatible with a fee-free right of access. They are the conditions for it.
There’s also the claim that free access invites overuse, that it creates a problem of too many queries carrying too much load. That is an engineering problem, not a reason to reinstate tolls. Standards can address refresh frequency, data fields, and efficient pagination. Uptime and performance metrics can be monitored. Abuse can be sanctioned. None of that requires charging consumers to use what the law already recognizes as theirs.
Keep the Principle, Improve the Plumbing
As the CFPB reconsiders how Sec. 1033 should work, the Bureau should reaffirm the core of the statute and focus its energy on implementation details that matter.
First, it should lock in a narrow, durable definition of covered data with sensible extensions over time. Start with what’s already widely used—account and transaction information, fees, interest, and basic account attributes—so interfaces are predictable and testing is straightforward. Leave room for public processes to add new fields, but resist turning the rule into a moving target.
Second, the Bureau should standardize consent. Consumers should see who is asking for access, for what purpose, for how long, and how to revoke. Third parties should certify that they only collect what they need and honor revocation promptly. This is important as sunset defaults reduce “consent drift” where stale permissions linger unnoticed.
Third, the Bureau should police interference. The spirit of Sec. 1033 is frustrated when data is technically available but practically unusable because it is delivered in the wrong format, at irregular intervals, or with arbitrary hurdles. A clear nondiscrimination rule, backed by transparent reporting on uptime and error rates, will keep the field level.
If policymakers worry that an absolutist stance will ossify the ecosystem, they should remember what made Sec. 1033 valuable in the first place: clarity. A stable, fee-free portability right tells entrepreneurs and incumbents alike how to build. It reduces regulatory whiplash and keeps investment focused on better products, not on bargaining for bespoke access.
The stakes are concrete. Reopening the door to data-access fees would tilt the market toward firms with the scale to absorb them and toward closed, bilateral deals that the consumer never sees. It would revive the very frictions that interoperability was meant to eliminate. Keeping Sec. 1033 intact does not guarantee a perfect market, but it does preserve the conditions for progress. The lesson of Dodd–Frank’s most forward-looking provision is modest but profound: give people control over their own records, and better services will meet them. Section 1033 made that control real. It should remain so.
